Rotation Overview

Prerequisites

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

• KeeperPAM Homepage

• Request a Demo

• Contact Support

Prior to setting up password rotation, make sure to have the following set up:

• Learn about KeeperPAM in the Getting Started section

• Enable Enforcement Policies

• Deploy a Keeper Gateway

• Create a PAM User record

• Create a PAM Resource

• Configure rotation settings

Enable Enforcement Policies

Enforcement policies for KeeperPAM password rotation are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

For Password Rotation capabilities, enable the necessary policies:

ALLOW_SECRETS_MANAGER

ALLOW_PAM_GATEWAY

ALLOW_PAM_ROTATION

ALLOW_CONFIGURE_ROTATION_SETTINGS

ALLOW_ROTATE_CREDENTIALS

Rotation can also be enabled on the Keeper Commander CLI using the enterprise-role command:

enterprise-role "Keeper Administrator" --enforcement "ALLOW_SECRETS_MANAGER":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_GATEWAY":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_ROTATION":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_ROTATE_CREDENTIALS":true

Deploy a Keeper Gateway

If you haven't yet created a Keeper Gateway yet, a new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App (version 17.1 or newer). We have also posted a page describing how to create a sandbox environment in just a few steps:

• Quick Start: Sandbox

Create an Application

When you use the Gateway using the Create New > Gateway feature, Keeper will automatically create the Secrets Manager Application, Shared Folders and PAM Configuration. In the Secrets Manager section of the vault, you'll see the Application assigned to Shared Folders and also assigned to the Gateway.

Create a PAM User record

A PAM user record holds a privileged account credential, password or private key. For steps on creating a PAM User, follow this page. The example below shows a PAM User record for an admin password on a Windows server. The PAM User record is added to a Shared Folder containing user accounts.

Create a PAM Resource

A PAM Resource represents a Machine, Database or Directory.

Configure rotation settings

Record Types for Rotation

The rotation of credentials is restricted to the PAM User record type.

When you have activated Keeper Secrets Manager or KeeperPAM, the following new record types will be available to users:

• PAM User Contains a login / password, private key, or both.

• PAM Directory Information about your on-prem or cloud-based directory

• PAM Database Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.

• PAM Machine Windows, Linux, macOS machines on-prem or in the cloud

• PAM Remote Browser Remote browser isolation to protect web-based applications

All 5 record types can be added in the Vault, placed in folders, and shared like any other Keeper records.

• See PAM Resources

PAM Configurations

When rotation is activated, within the Secrets Manager screen of the vault you'll see a section called PAM Configurations. A PAM Configuration is an object which is contains the following:

• Environment Local Network, AWS or Azure

• Keeper Gateway Service which you install into your on-prem or cloud infrastructure

• Application Folder Shared Folder which contains the Secrets Manager application and associated records

• Administrative Credentials Keeper record which contains privileged credentials for performing rotation and discovery.

Customers may have any number of PAM Configurations, Applications and Gateways.

• More information on: PAM Configuration, Applications and Gateways

How to Rotate a Password

The basic steps to rotation of passwords in any target environment are:

• Add PAM User records to the Shared Folder

• Add PAM Resource (Machine, Database, Directory) records to a Shared Folder

• Configure rotation settings on each PAM User record

• Create a Secrets Manager application

• Assign the Secrets Manager application to the Shared Folders

• Set the shared folder permissions containing the PAM Users from Read Only to Can Edit

• Add a Keeper Gateway to the Secrets Manager application

• Create a PAM Configuration which ties everything together

• Assign rotation settings to the PAM User records

Rotation on Keeper Commander

For automation of Rotation capabilities, Keeper Commander supports KeeperPAM rotation using the following commands:

• pam action rotate

• pam action job-info

Example:

My Vault> pam action rotate -r 5NaygwI4LK1BDZmH3Ib
Scheduled action id: MfKbPR3ac6A/oBDZpctpOg==

My Vault> pam action job-info MfKbPR3ac6A/oBDZpctpOg== -g QPkRsR8KQm6_4vnHTcofZA
Job id to check [MfKbPR3ac6A/oBDZpctpOg==]
Execution Details
-------------------------
	Status              : finished
	Duration            : 0:00:17.525641
	Response Message    : Rotation completed for record uid 5NaygwI4LK1BDZmH3Ib
My Vault>

Services and Scheduled Tasks

Keeper Rotation can also update the "log on" credentials for Windows service accounts and scheduled tasks. See the Service Management documentation.

Record Import

Keeper supports importing in bulk from JSON format. See the Importing PAM Records section for more details.